
Dallas doles out $8.5M to remediate May ransomware attack


The City of Dallas allocated $8.5 million for remediation and clean-up costs following a Royal ransomware attack in May that caused prolonged disruptions to many city services, though it remains unclear if that sum will be sufficient.

On May 3, the city disclosed it suffered a ransomware attack that affected fewer than 200 devices and led to service outages for the Dallas Police Department website, payment card services, Dallas Fire Rescue alerting services and the city’s court systems. Disruptions persisted for more than one month as the city worked to restore systems and determine the extent of data exfiltration. In early June, the city confirmed more than 97% of its network had been restored.

Last week, the city released a report titled “Ransomware Incident: May 2023 Incident Remediation Efforts and Resolution” that shed light on the initial attack vector, the attack timeline, and the tools and techniques used by Royal ransomware threat actors. The report revealed the Dallas City Council approved an $8.5 million budget for mitigation and recovery efforts.

However, the sum may not be enough to undo the damage Royal caused by encrypting systems and stealing sensitive data that included private health data and health insurance information.

The report noted the $8.5 million allocated funds included external cybersecurity professional services, identity theft and fraud protection services, and breach notification services used for affected parties. So far, the attack may have affected 30,253 individuals.

“As noted above, the City’s current approved budget for the remediation of the Royal ransomware event is presently set to not exceed $8.5 million,” the City of Dallas wrote in the report. “The Dallas City Council was supportive and understanding in providing this initial budget amount as they understood that the attack response was ongoing and could extend significantly past the initial time and budget estimates.”

While it remains unclear how much of the budget has been spent so far, the report did confirm that attackers were in the city’s network from April 7 to at least May 3, when the city initially detected the attack. Royal operators gained initial access by compromising a basic service domain account that was connected to city servers. Subsequently, the threat actors performed lateral movement by using legitimate third-party remote management tools and penetration testing technologies.

The report emphasized the threat actors’ deployment of command-and-control beacons inside the city’s network for several weeks prior to the ransomware attack. The beacons were presumably part of Fortra’s Cobalt Strike penetration testing suite, which the report referenced as a commonly used toolset for Royal actors, and were primarily used during the surveillance stage of the attack.

“Using its previously deployed beacons, Royal began moving through the City’s network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools,” the report said.

A trend of compromised credentials

Like many recent attacks such as the breaches against Las Vegas casinos this month, the Royal ransomware attack against the City of Dallas involved compromised credentials. The report did not state how the service account was compromised. However, recent phishing and vishing attacks have demonstrated threat actors’ vast knowledge of the victim organizations, which they’ve used to trick employees into giving up credentials and other sensitive information.

During Black Hat USA 2023, CrowdStrike warned of a surge in identity-based attacks. The vendor’s 2023 Threat Hunting Report found 62% of interactive intrusions involved the abuse of valid accounts.

Thomas Etheridge, chief global professional services officer at CrowdStrike, said that 80% of the intrusions CrowdStrike observed in 2022 involved compromised identities. He added that the Threat Hunting Report showed a 312% increase in adversarial use of remote monitoring and management tools.

“Organizations must implement identity-based countermeasures such as user account audits, zero-trust frameworks and increased analysis of security logs and network traffic to identify vulnerabilities that could potentially expose organizations,” Etheridge said in an email to TechTarget Editorial.

Prior to the attack, the City of Dallas said it had invested in CrowdStrike’s endpoint detection and response (EDR) in response to a rapidly changing cyber threat landscape. Despite attackers’ evolving EDR evasion techniques, EDR implementation remains critical and is often a requirement to obtain cyber insurance policies.

While CrowdStrike blocked some malicious activity, according to the report timeline, it appears Royal operators were somewhat successful in evading defenses during the ransomware attack stage.

“The ITS [incident support team] team expediently initiated 24/7-hour around the clock rotating schedules with efforts for an immediate trajectory of recuperation and reconstruction, constrained within the parameters of virtualized infrastructure environments,” the report said. “However, these endeavors necessitated a temporary pause due to the incomplete neutralization of the malicious executables through EDR and its ability to propagate throughout the network ecosystem.”

A reinfected server and the use of legacy software were other concerns highlighted in the report. Despite warnings that threat actors weaponize old vulnerabilities, the City of Dallas said many of its “applications and services are not operating the most current versions of the underlying software.” More alarmingly, the report said several “significant” applications and services in the city’s IT environment were running on versions that were no longer supported by their vendors.

ITS was deactivated as of June 9, and the City of Dallas said an estimated final cost should be provided by the end of this year. In addition to millions in restoration costs, the city has spent close to 40,000 hours mitigating the Royal ransomware attack.

The City of Dallas responded to requests for comment but did not provide additional information at press time.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
